The Box Multizones SSO feature integrates Box's Multizones feature with SSO functionality to enable you to quickly and easily assign users to specific data residency Zones, and update these assignments.
Box Multizones SSO streamlines your enterprise's onboarding process. When people join your enterprise, Multizones SSO eliminates the need to repeatedly run scripts and maintain a file of user-to-Zone mappings to assign new accounts to Zones on an ongoing basis. After you use the admin console to map your enterprise's location attributes to Zones, when an account holder uses SSO to sign in, Box automatically maps the account to a Zone according to the account's location attribute.
For example, your enterprise may have the following offices (and location attributes) associated with each user:
- Redwood City
- San Francisco
- New York
You could designate the following location attribute to Zone mapping in the Multizones SSO Admin Console page:
When account holders with an associated Redwood City attribute log into Box via SSO, Box automatically maps them and all their content to the US Zone.
Setting up Multizones SSO
To set up Multizones SSO, provide your enterprise's SSO attributes and Zone mapping to Box Consulting.
Box will work with your enterprise to:
- Configure your Identity Provider for Box Multizones SSO setup — you can use the standard integrations your IdP has with Box, or use custom integrations.
- Update your enterprise's new connections within Box for Multizones SSO.
Assigning attribute values to a Zone
After Box configures Multizones SSO for your deployment, you can assign location attribute values to Zones. Once you have assigned location attributes to Zones, Box assigns each account to a Zone at sign-in, based on the account's location attribute.
To assign locations to a Zone:
- In the admin console's left sidebar, click Enterprise Settings.
- At the top of the window, click User Settings.
- In the Configure Zones Assignment with SSO section, click in a Zone's text field and type the comma-separated list of locations you want to assign to that Zone.
- In the top-right corner of the User Settings window, click Save.
Each time an account holder signs in, Box checks the assigned Zone.
- If you've assigned the person to a different Zone, Box updates your enterprise's SSO configuration and logs the update in the User Activity report.
- If an account assigned to a Zone has an invalid or missing location attribute, the person can still sign in, but Box does not update the account's Zone assignment.
If you do not assign an account to a Zone, Box assigns the account to your enterprise's default.
If you want to update your available Zones — delete Zones, or add new Zones — be sure to work with your account team so Box can provision new Zones accordingly.
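A pre-rollout check on the assignment rules above, as an added example that is not Box's code: it parses the comma-separated per-Zone location lists and flags accounts in an IdP export whose location attribute is missing or matches no Zone, because those accounts will not have their Zone updated at sign-in. The export format, the `EXAMPLE-ZONE-2` Zone, the sample accounts, and exact matching after trimming whitespace are assumptions; this page does not state how Box compares attribute values.

```python
import csv
import io

# Constructed sample data. ZONE_FIELDS mirrors the per-Zone text fields
# (comma-separated locations); "EXAMPLE-ZONE-2" and "Example Office" are placeholders.
ZONE_FIELDS = {
    "US": "Redwood City, San Francisco, New York",
    "EXAMPLE-ZONE-2": "Example Office",
}
# Constructed IdP export: one row per account with its location attribute.
IDP_EXPORT = """login,location
alice@example.com,Redwood City
bob@example.com,
carol@example.com,Redwod City
dave@example.com,Example Office
erin@example.com,new york
"""


def parse_zone_fields(zone_fields):
    """Return {location: zone}; reject a location listed under two Zones."""
    mapping = {}
    for zone, field in zone_fields.items():
        for location in (part.strip() for part in field.split(",")):
            if not location:
                continue  # tolerate trailing commas
            if mapping.get(location, zone) != zone:
                raise ValueError(f"{location!r} is listed under two Zones")
            mapping[location] = zone
    return mapping


def audit_accounts(export_text, mapping):
    """Classify accounts as mapped, missing an attribute, or unmapped."""
    # Assumption: matching is exact after trimming; case differences are flagged.
    folded = {loc.casefold(): loc for loc in mapping}
    report = {"mapped": {}, "missing": [], "unmapped": {}}
    for row in csv.DictReader(io.StringIO(export_text)):
        login, location = row["login"], (row["location"] or "").strip()
        if not location:
            report["missing"].append(login)
        elif location in mapping:
            report["mapped"][login] = mapping[location]
        else:
            # Record the closest configured spelling, if only case differs.
            report["unmapped"][login] = (location, folded.get(location.casefold()))
    return report


if __name__ == "__main__":
    for key, value in audit_accounts(IDP_EXPORT, parse_zone_fields(ZONE_FIELDS)).items():
        print(key, value)
```

Accounts reported under `missing` or `unmapped` are the ones to correct in the IdP before relying on sign-in to place content in the intended Zone.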